While I've recently been very critical of the RSA timeline, as soon as I read Art Coviello's second public statement (issued June 6, 2011) I decided to take a closer look at everything the company has released on the attack. It isn't pretty, especially as it relates to three essential questions:
- What was taken
- How much was taken
- Who was affected
Here is what RSA has published on the breach to date, in order of release:
- Art Coviello's Open Letter to RSA Customers, March 17, 2011
- Uri Rivner's Anatomy of an Attack blog post, April 1, 2011
- RSA's Required Actions For SecurID Installations (SecurCare Online Note #1)
- RSA SecurCare Online Note #2
- Art Coviello's Open Letter to RSA SecurID Customers, June 6, 2011
What was taken?
Art Coviello wrote in his June 6 statement that "certain information related to the SecurID product had been extracted." Now compare that wording to what SecurCare Online Note #2 says: "Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA systems. Some of that information is related to RSA SecurID authentication products", which is a direct quote from Coviello's March 17th letter.
Analysis: Both Coviello's letter #1 and SecurCare Online Note #2 specified two sets of systems from which data was extracted. The primary set was termed "RSA systems", as in "certain information being extracted from RSA systems". The second was a subset of RSA systems: the RSA SecurID authentication products. Coviello's letter #2 contradicts that statement by removing the primary set altogether, without any clarification as to why. So which of Art Coviello's statements is true: the one from March 17th or the one from June 6th?
How much was taken?
How RSA defines "certain information" sheds light on how much of RSA's IP was taken. Read together, Coviello's letter and the SecurCare Online Note define "certain information" as everything except what is in the customer's care. Here's the exact language in the Online Note:
"To the best of our knowledge, whoever attacked RSA has certain information related to the RSA SecurID solution, but not enough to complete a successful attack without obtaining additional information that is only held by our customers." FAQ question #7 is particularly telling. It asks "Have my SecurID token records been taken?". Instead of providing a direct answer, the FAQ repeats that additional customer data not held by RSA is required to mount a successful attack.
RSA has, in effect, defined how much data was extracted from its systems as "certain information not held by the customer" or, to put it in plain English, RSA's attackers took everything.
Who was affected?
None of the initial reports mentioned what Coviello referred to in letter #2 as "our view of the motive of this attacker" (meaning the defense industry), and he only confirmed Lockheed Martin after Lockheed Martin had made the news public. More importantly, no mention was made of the attack on L-3 Communications, even though an internal company email reportedly said it involved duplicate SecurID tokens.
The contradictions between Coviello's two statements, and between his statements and the SecurCare Online Notes, paint a picture of a company that is trying, unsuccessfully, to hide the scale and scope of this breach from the public, from its shareholders, and from its own customers. Art Coviello confirmed, in the most obscure language possible, that everything RSA holds pertaining to SecurID was breached; the only parts not breached were the parts held by the customer.
Furthermore, if the statements in both of RSA's SecurCare Online Notes are accurate, other RSA security products were compromised as well, although the extent is unknown. To give you an idea of the possible further scope, consult the product list published on the RSA website (The RSA Product Finder).